YouTube - Open redirection


Google fixed this a year after I reported this bug, and yet refused to accept it as a vulnerability. Got no luck with bug bounties, haha.

Attack Scenario:

  1. The attacker sends a YouTube link and lures the victim into clicking on it.

  2. The link redirects the victim to the attacker’s malicious phishing website, which asks for YouTube credentials.

  3. The victim enters his YouTube credentials because he thinks he is still on the YouTube domain.

  4. The attacker takes over the victim’s YouTube account (which is actually a Google account, so he can also take over Gmail, Drive, etc.).
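The scenario above works only because the site follows a redirect target it did not check. The following is an added example, not code from the original post or from YouTube: a server-side allow-list check for a redirect target, using the WHATWG `URL` parser so the decision matches how a browser will interpret the value. The names `ALLOWED_HOSTS`, `FALLBACK` and `safeRedirect` are hypothetical, and the host list is an assumption.

```javascript
// Added example: validate a redirect target before issuing the redirect.
// All names here are hypothetical; the allow-list is an assumed policy.
const ALLOWED_HOSTS = new Set(["www.youtube.com", "youtube.com"]);
const BASE = "https://www.youtube.com";      // base for relative targets
const FALLBACK = "https://www.youtube.com/"; // used when the target is rejected

function safeRedirect(target) {
  if (typeof target !== "string" || target.length === 0) return FALLBACK;

  // Browsers treat "\" like "/" in http(s) URLs and drop tabs/newlines,
  // so "/\host" or "/<TAB>/host" can turn into "//host". Reject them outright.
  if (/[\u0000-\u001f\u007f\\]/.test(target)) return FALLBACK;

  let url;
  try {
    // Resolving against BASE handles relative paths and exposes
    // scheme-relative targets ("//host/path") as a foreign hostname.
    url = new URL(target, BASE);
  } catch {
    return FALLBACK;
  }

  if (url.protocol !== "https:") return FALLBACK;       // blocks javascript:, data:, http:
  if (url.username || url.password) return FALLBACK;    // blocks trusted-name@other-host
  if (!ALLOWED_HOSTS.has(url.hostname)) return FALLBACK; // exact match, no suffix/prefix tricks

  return url.href; // normalized URL that is safe to place in a Location header
}

// Constructed sample inputs covering common bypass shapes.
function checkSamples() {
  const samples = [
    "/watch?v=abc",                          // relative path: allowed
    "https://WWW.YOUTUBE.COM/feed",          // case differences are normalized
    "//phish.example/login",                 // scheme-relative, foreign host
    "https://www.youtube.com@phish.example/", // userinfo confusion
    "https://www.youtube.com.phish.example/", // look-alike subdomain
    "/\\phish.example",                      // backslash trick
    "javascript:alert(1)",                   // non-https scheme
  ];
  return samples.map((s) => [s, safeRedirect(s)]);
}

console.log(checkSamples());
```

Comparing the parsed `hostname` exactly, rather than using a substring or prefix match on the raw string, is what defeats the look-alike and userinfo forms.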

PoC Video: https://www.youtube.com/watch?v=CcsJ8EXUIvA

Written on November 19, 2018